Impact of the Russia-Ukraine Conflict on the Cybercrime Ecosystem
Russia-Ukraine cyberwar 2022-2025 - wiperware, FrostyGoop, hacktivism, and consequences for critical infrastructure in the EU.
Łukasz Drążek
In January 2024, with temperatures reaching -20 degrees C, over 600 residential buildings in Lviv lost their heating. Not due to a malfunction or shelling - the attack was carried out remotely, over the internet, using the Modbus TCP protocol to manipulate values on the Lvivteploenergo heating plant controllers. The malware, named FrostyGoop, became the first known tool to directly exploit an industrial protocol for sabotage of civilian infrastructure.
This incident is not an anomaly. It is part of a broader pattern that has been taking shape since February 2022 and is changing the rules of the game in cybersecurity worldwide.
WARNING
The number of cyberattacks on Ukraine increased by 70% in 2024 - from 2,541 to 4,315 incidents (CERT-UA). But the consequences extend far beyond Ukraine - Poland records dozens of attempts to probe energy, transport, and digital infrastructure daily.
Cyber Conflict Timeline 2022-2025
The cyber conflict accompanying the conventional war has gone through several distinct phases:
| Period | Phase | Key Events |
|---|---|---|
| January-February 2022 | Preparing the battlefield | WhisperGate, HermeticWiper, data destruction in Ukrainian government institutions |
| February-March 2022 | First wave | Attack on Viasat KA-SAT (thousands of modems across the EU), CaddyWiper, IsaacWiper |
| 2022-2023 | Escalation and adaptation | Industroyer2 vs Ukrenergo, attacks on the telecom sector, mass Gamaredon campaigns |
| 2023-2024 | Evolving tactics | Shift from wiperware to long-term espionage, supply chain attacks |
| January 2024 | FrostyGoop | First malware attacking OT via Modbus TCP, heating cut off in Lviv |
| March 2025 | Attack on Ukrzaliznytsia | Disruption of Ukrainian railway ticketing systems, online service restoration took approximately 6 days |
| March 2025 | Sandworm vs 20 facilities | CERT-UA reveals Sandworm plan to attack 20 energy, water, and heating companies across 10 regions of Ukraine |
| Mid-2025 | AI in attacks | Russian hackers experiment with AI-generated malware and attack automation |
Five Trends That Changed Cybersecurity
1. Critical Infrastructure as a Direct Target
The conflict crossed a line that had been respected for years, even in state-sponsored operations - deliberate attacks on civilian infrastructure providing heat, water, and electricity.
Sandworm (APT44), operating under Russia’s GRU, conducted a campaign in 2025 alone against 20 energy, water, and heating companies across 10 regions of Ukraine. CERT-UA confirmed that at least 3 of these attacks exploited compromised supply chains.
TIP
Attacks on critical infrastructure are often coordinated with missile strikes - the goal is to maximize the destructive effect. OT organizations should treat kinetic escalation as a trigger for heightened cyber vigilance.
2. New Classes of OT Malware
FrostyGoop is a turning point. Until 2024, only a handful of malware specimens were known to directly target industrial protocols (Stuxnet, Industroyer, TRITON). FrostyGoop added the first tool exploiting Modbus TCP on port 502.
| OT Malware | Year | Protocol | Target | Effect |
|---|---|---|---|---|
| Stuxnet | 2010 | S7comm (Siemens) | Uranium enrichment centrifuges | Physical destruction of 984 centrifuges |
| Industroyer | 2016 | IEC 101, IEC 104, OPC DA, IEC 61850 | Power substation | One-hour power outage |
| TRITON | 2017 | TriStation (Triconex) | Petrochemical SIS | Emergency shutdown (a bug in the malware saved lives) |
| FrostyGoop | 2024 | Modbus TCP | Heating plant controllers | 600+ buildings without heating at -20 degrees C |
Standard antivirus software did not detect FrostyGoop - the malware blended into normal network traffic on port 502. This underscores the critical importance of OT network segmentation and anomaly monitoring in industrial protocols.
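One way to do the protocol-level anomaly monitoring this paragraph calls for, as an added Python example that is not part of the original article: it parses the Modbus/TCP MBAP header, ignores routine read polling, and alerts on write function codes that either come from a host outside an assumed whitelist of SCADA masters or target coils/registers outside an assumed engineering baseline. The IP addresses, register ranges and frames are constructed for the example.

```python
import struct
from collections import namedtuple

# Modbus/TCP function codes that change controller state (from the public Modbus spec).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ModbusRequest = namedtuple("ModbusRequest", "src transaction_id unit_id function start_addr")

def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the start of the PDU from a raw request."""
    if len(payload) < 10:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(payload) - 6:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame")
    start = struct.unpack(">H", payload[8:10])[0]  # first coil/register addressed
    return ModbusRequest(src, tid, unit, payload[7], start)

def detect_write_anomalies(requests, allowed_masters, write_baseline):
    """Alert on writes from non-whitelisted hosts or outside the engineering baseline."""
    alerts = []
    for r in requests:
        if r.function not in WRITE_FUNCTIONS:
            continue  # reads are routine polling traffic on port 502
        what = f"{WRITE_FUNCTIONS[r.function]} unit={r.unit_id} addr={r.start_addr}"
        ranges = write_baseline.get(r.unit_id, [])
        if r.src not in allowed_masters:
            alerts.append(f"{r.src}: {what} from non-whitelisted master")
        elif not any(lo <= r.start_addr <= hi for lo, hi in ranges):
            alerts.append(f"{r.src}: {what} outside baseline write range")
    return alerts

# Constructed sample traffic (hypothetical addresses, not a real capture).
ALLOWED_MASTERS = {"10.0.1.5"}                  # assumed SCADA master
WRITE_BASELINE = {1: [(0x0010, 0x001F)]}        # assumed writable setpoint block on unit 1
SAMPLE_FRAMES = [
    ("10.0.1.5", bytes.fromhex("000100000006" "0103000A0002")),   # read 2 holding regs: normal
    ("10.0.1.5", bytes.fromhex("000200000006" "01060010002A")),   # write reg 0x10 from master: normal
    ("10.0.9.77", bytes.fromhex("000300000006" "0106002001F4")),  # write from unknown host: alert
    ("10.0.1.5", bytes.fromhex("000400000006" "01050100FF00")),   # master writes coil 0x100: alert
]

def run_detection():
    requests = [parse_modbus_tcp(src, raw) for src, raw in SAMPLE_FRAMES]
    return detect_write_anomalies(requests, ALLOWED_MASTERS, WRITE_BASELINE)
```

In practice the frames would come from a span-port capture or a Zeek/Suricata Modbus log rather than an inline list, and the baseline would be derived from the plant's engineering documentation.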
3. Blurring the Line Between State and Cybercrime
One of the most enduring effects of the conflict is the erosion of the divide between state operations and cybercrime:
- State recruitment - cybercriminal groups are directed toward strategic objectives
- Tool diffusion - malware developed for military purposes enters the criminal ecosystem
- Hacktivism as a facade - groups such as CyberVolk and Killnet combine ideology with ransomware as a funding source
- Sanctions as a motivator - economic restrictions create additional motivation for state-sponsored cybercrime
The number of Russian sabotage operations nearly tripled between 2023 and 2024, following a fourfold increase between 2022 and 2023.
4. Industrial-Scale Hacktivism
The conflict triggered an unprecedented wave of hacktivism on both sides:
IT Army of Ukraine - a crowdsourced cyber army operating with the support of Ukraine’s GUR/SBU. In June 2024, it carried out one of the largest DDoS attacks in history, paralyzing Russian banks (VTB, Sberbank, Alfa-Bank) and the Mir payment system.
Pro-Russian groups (Killnet, NoName057(16)) - systematically attack government websites and services in countries supporting Ukraine, including Poland.
New OT actors - in 2025, the groups Z-Pentest and SECT0R16 claimed to have gained access to SCADA systems of solar power plants in Germany and hydroelectric plants in France, publishing screenshots of control panels.
WARNING
Hacktivism normalizes cyberattacks as a form of protest. But the line between “activism” and a state operation is deliberately blurred - making attribution and an adequate defensive response more difficult.
5. Disinformation as a Multi-Vector Element
The mass weaponization of disinformation is the fifth dimension of the cyber conflict. Cybercriminals adopt the methods of disinformation campaigns for their own purposes:
- Phishing impersonating humanitarian organizations and fundraisers for Ukraine
- Social engineering campaigns exploiting emotions related to the conflict
- Deepfakes and AI-generated content to manipulate public opinion
- Disinformation as preparation for a cyberattack (diversion)
Consequences for Poland and the EU
Poland, as one of the countries most strongly supporting Ukraine, is particularly exposed to Russian hybrid operations.
| Threat Dimension | Status 2025 | Source |
|---|---|---|
| Probing of energy infrastructure | Dozens of attempts daily | ABW / NPR |
| DDoS attacks on government institutions | Regular, Killnet/NoName057 | CERT Polska |
| Undersea cable sabotage | Elevated risk in the Baltic region | CEPA |
| Agent recruitment via Telegram | "Disposable agents" for small sums | ABW |
| Espionage vs NATO | Intensification since 2022, targets: PL, LT, LV, NO, DK | CCCS Canada |
| Viasat KA-SAT attack (2022) | Thousands of modems in PL, DE, FR, IT disabled | NSA/CISA |
The NIS2 Directive, which came into force in 2024, directly addresses some of these threats - imposing incident reporting obligations and supply chain risk management requirements on critical infrastructure operators.
Geopolitical Threat Readiness Checklist
- Review threat intelligence assumptions for conflict-related threats
- Update incident response plans to include data destruction (wiper) scenarios
- Strengthen monitoring of critical infrastructure, including OT protocols
- Verify IT supply chain security - at least 3 suppliers were compromised in the Sandworm 2025 campaign
- Prepare procedures for large-scale DDoS attacks
- Train employees to recognize disinformation and phishing campaigns
- Establish cooperation with CERT Polska and industry ISACs (FS-ISAC, E-ISAC)
- Implement Defense in Depth in OT environments
- Network segmentation of industrial networks in accordance with IEC 62443
- Anomaly monitoring in Modbus, OPC UA, DNP3 traffic
- Resilience testing against state-sponsored scenarios (red team with APT assumptions)
- Review backup and recovery procedures for destructive attacks (not ransomware)
TIP
The key difference in preparing for geopolitical threats vs typical cybercrime: state-sponsored attacks aim for destruction (not ransom), have virtually unlimited resources and time, and their goal is to maximize damage. Standard incident response procedures designed for ransomware may be insufficient.
Conclusions
The Russia-Ukraine conflict has permanently changed the cyber threat landscape. Five trends - attacks on civilian infrastructure, new OT malware, blurring the state-crime boundary, industrial hacktivism, and the weaponization of disinformation - will not disappear with the eventual end of hostilities.
For organizations in Poland and the EU, this means cybersecurity must be treated as part of a broader geopolitical risk management strategy. The question is not “will we be a target” - but “are we prepared for an attack that does not seek ransom, but aims to destroy.”
Sources:
- ENISA Threat Landscape 2022
- ENISA Threat Landscape 2025
- CERT-UA - Cyberattacks on Ukraine increased by 70% in 2024
- CyberScoop - FrostyGoop ICS Malware
- Industrial Cyber - CERT-UA details Sandworm plan to disrupt 20 critical infrastructure facilities
- The Record - Russian hackers turn to AI as old tactics fail
- CSIS - Russia’s Shadow War Against the West
- CEPA - The Hybrid Threat Imperative
- NPR - Russia’s hybrid warfare rattles Poland and NATO
- Trustwave - Three Years of Cyber Warfare
- Stanford FSI - Russian Cyber Operations Against Ukrainian Critical Infrastructure
- Small Wars Journal - Ukraine’s IT Army